WO2023003113A1 - Method and device for operating a terminal in a wireless communication system - Google Patents
- Publication number: WO2023003113A1 (PCT application PCT/KR2022/001228)
- Authority: WO (WIPO, PCT)
- Prior art keywords: terminal, SNPN, authentication, network, provisioning server
- Legal status: Ceased (as listed by Google; the legal status is an assumption and is not a legal conclusion)
Classifications
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
- H04W12/069—Security arrangements; Authentication using certificates or pre-shared keys
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
- H04W12/037—Security arrangements; Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
- H04W12/084—Security arrangements; Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
- H04W12/35—Security of mobile devices; Security of mobile applications; Protecting application or service provisioning, e.g. securing SIM application provisioning
- H04W12/72—Context-dependent security; Identity-dependent; Subscriber identity
- H04L2209/80—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00); Wireless
- H04W60/04—Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration using triggered events
- H04W8/183—Network data management; Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data; Processing at user equipment or user record carrier
Definitions
- The following description relates to a wireless communication system and to a method and apparatus for operating a terminal. Specifically, it relates to a method for dynamically allocating the entitlement (credential) of a standalone NPN (SNPN) that a terminal wants to access.
- SNPN: standalone NPN (non-public network)
- A wireless access system is widely deployed to provide various types of communication services such as voice and data.
- A wireless access system is a multiple access system capable of supporting communication with multiple users by sharing the available system resources (bandwidth, transmission power, etc.).
- Examples of the multiple access system include a code division multiple access (CDMA) system, a frequency division multiple access (FDMA) system, a time division multiple access (TDMA) system, an orthogonal frequency division multiple access (OFDMA) system, and a single carrier frequency division multiple access (SC-FDMA) system.
- CDMA: code division multiple access
- FDMA: frequency division multiple access
- TDMA: time division multiple access
- OFDMA: orthogonal frequency division multiple access
- SC-FDMA: single carrier frequency division multiple access
- eMBB: enhanced mobile broadband
- RAT: radio access technology
- A communication system has been proposed that considers reliability- and latency-sensitive services/UEs (user equipment) as well as mMTC (massive machine type communications), which provides various services anytime and anywhere by connecting multiple devices and objects.
- Various technical configurations for this have been proposed.
- the present disclosure may provide a method and apparatus for operating a terminal in a wireless communication system.
- the present disclosure may provide a method and apparatus for dynamically allocating qualifications of a SNPN to which a UE intends to access in a wireless communication system.
- the present disclosure may provide a method and apparatus for a terminal to perform bi-directional authentication with an onboarding network in a wireless communication system.
- the present disclosure may provide a method and apparatus for performing bidirectional authentication without supporting a proxy function in an onboarding network when a terminal performs bidirectional authentication with an onboarding SNPN (O-SNPN) in a wireless communication system.
- O-SNPN: onboarding SNPN
- The present disclosure aims to perform bidirectional authentication even if the default credential server (DCS) recognizes 5GS and does not support the AUSF and UDM functions, when a terminal performs bidirectional authentication with an onboarding SNPN (O-SNPN) in a wireless communication system.
- DCS: default credential server
- In a method for operating a terminal in a wireless communication system, the terminal: generates a subscription concealed identifier (SUCI) by encrypting a unique identifier with a public key of a default credential server (DCS); transmits a registration request including the generated SUCI and a first standalone non-public network (SNPN) ID to the onboarding network; performs bidirectional authentication with the onboarding network; when the bidirectional authentication is completed, receives a provisioning server address (PS_address) and a provisioning server token (PS_token) from the onboarding network; transmits an entitlement request including the unique identifier and the PS_token to a provisioning server based on the received PS_address; and receives the entitlement of the first SNPN from the provisioning server.
- SUCI: subscription concealed identifier
- PS_address: provisioning server address
- PS_token: provisioning server token
- A terminal operating in a wireless communication system includes at least one transceiver, at least one processor, and at least one memory operatively connected to the at least one processor and storing instructions that, when executed, cause the at least one processor to perform specific operations. The specific operations include: generating a subscription concealed identifier (SUCI) by encrypting a unique identifier with a public key of a default credential server (DCS), and, via the transceiver, ...
- On the onboarding network side, the method includes: receiving a registration request including a SUCI and a first SNPN ID from a terminal; transmitting an authentication information request to a DCS based on the received registration request; receiving a response including at least one of a first certificate, a provisioning server address (PS_address) and a provisioning server token (PS_token) based on the authentication information request; performing bidirectional authentication with the terminal based on the received response; and, when the bidirectional authentication is completed, transmitting the PS_address and the PS_token to the terminal. The terminal then transmits an entitlement request including a unique identifier and the PS_token to a provisioning server based on the received PS_address, and may be provided with the entitlement of the first SNPN from the provisioning server.
- An apparatus of the onboarding network includes at least one transceiver, at least one processor, and at least one memory operatively connected to the at least one processor and storing instructions that, when executed, cause the at least one processor to perform specific operations. The specific operations control the transceiver to receive a registration request including the SUCI and the first SNPN ID from the terminal;
- control the transceiver to transmit an authentication information request to the DCS based on the received registration request, and to receive a response including at least one of a first certificate, a provisioning server address (PS_address) and a provisioning server token (PS_token) based on the authentication information request;
- perform bidirectional authentication with the terminal based on the received response and, when the bidirectional authentication is completed, control the transceiver to transmit the PS_address and the PS_token to the terminal. The terminal then transmits an entitlement request including a unique identifier and the PS_token to the provisioning server based on the received PS_address, and may receive the entitlement of the first SNPN from the provisioning server.
- The at least one processor generates a subscription concealed identifier (SUCI) by encrypting a unique identifier with a public key of a default credential server (DCS), transmits a registration request including the generated SUCI and a first standalone non-public network (SNPN) ID to the onboarding network, performs two-way authentication with the onboarding network, receives provisioning server address (PS_address) and provisioning server token (PS_token) information from the onboarding network when the two-way authentication is completed, transmits an entitlement request including the unique identifier and the PS_token to the provisioning server based on the received PS_address, and is provided with the entitlement of the first SNPN from the provisioning server.
- At least one instruction executable by a processor is included, wherein the at least one instruction: generates a subscription concealed identifier (SUCI) by encrypting a unique identifier with a public key of a default credential server (DCS); transmits a registration request including the generated SUCI and a first standalone non-public network (SNPN) ID to the onboarding network; performs two-way authentication with the onboarding network; when the two-way authentication is completed, receives provisioning server address (PS_address) and provisioning server token (PS_token) information from the onboarding network; and, based on the received PS_address, may transmit an entitlement request including the unique identifier and the PS_token to the provisioning server, which may then provide the entitlement of the first SNPN.
- An access and mobility management function (AMF) of the onboarding network receives the registration request from the terminal, and the AMF may request authentication from the authentication server function (AUSF) of the onboarding network, including the SUCI and the first SNPN ID in the request.
- AMF: access and mobility management function
- AUSF: authentication server function
- When the AMF requests authentication from the AUSF, the AMF may further transmit authentication method selection indication information to the AUSF.
- The AUSF may check the authentication method selection indication information and the domain information of the SUCI to find the DCS, and request the information necessary for terminal authentication from the DCS.
- The information necessary for terminal authentication transmitted to the DCS includes the SUCI; the DCS decrypts the SUCI using its private key to obtain the SUPI (subscription permanent identifier) and verifies the certificate mapped to the SUPI.
- A first certificate capable of authentication can be generated; a PS_address of the provisioning server in charge of authentication for the first SNPN is generated based on the first SNPN ID; and a PS_token used by the provisioning server and the terminal for authentication can be generated.
- The AUSF may receive from the DCS the first certificate, the PS_address of the provisioning server in charge of authenticating the first SNPN (generated based on the first SNPN ID), and the PS_token information used by the provisioning server for terminal authentication.
- The terminal may be provided in advance with a unique identifier from the DCS, the DCS public key, a terminal certificate issued based on the DCS, and the root/intermediate certification authority certificates (Root/Intermediary CA Certificates) capable of verifying the certificate of the onboarding network.
- The bidirectional authentication may be performed based on the EAP-TLS protocol.
- EAP-TLS: extensible authentication protocol with transport layer security
- The onboarding network may be an onboarding standalone non-public network (O-SNPN).
- The terminal may access the first SNPN based on the entitlement of the first SNPN transmitted from the provisioning server.
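Added here as a worked example (not code from the patent or from any 3GPP implementation): a Go simulation of the onboarding flow in the definitions above, with each party's step in its own function: the UE encrypts its identifier into a SUCI under the DCS public key, the O-SNPN forwards the authentication information request to the DCS, the DCS recovers the SUPI, returns the mapped certificate, derives PS_address from the SNPN ID and mints PS_token, and the provisioning server releases the entitlement only for a token whose MAC, identifier binding and expiry check out. RSA-OAEP in place of the 3GPP ECIES SUCI profiles, the HMAC-based PS_token under a DCS/PS shared key, certificate fingerprints standing in for the EAP-TLS exchange, and all identifiers and keys are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// SUCI keeps the realm in clear (the AUSF routes on it) and encrypts only the username of the NAI-form identifier.
type SUCI struct {
	Realm string
	Enc   []byte // RSA-OAEP ciphertext; stands in for the 3GPP ECIES SUCI profiles (assumption)
}

// PSToken models PS_token: SUPI and target SNPN bound to an expiry, HMACed under a DCS/PS shared key (assumption).
type PSToken struct {
	SUPI, SNPN string
	Expiry     int64
	MAC        string
}

// Constructed state of every party: DCS records, the O-SNPN certificate, PS entitlements, UE trust anchors.
var (
	dcsPriv, _ = rsa.GenerateKey(rand.Reader, 2048)
	dcsCerts   = map[string]string{"imei-001@dcs.example": "ue-cert-fp-001"} // DCS: SUPI -> UE certificate fingerprint
	psKey      = []byte("constructed-dcs-ps-shared-key")                     // shared by DCS and provisioning server
	psCreds    = map[string]string{"snpn-a": "credential-for-snpn-a"}        // PS: SNPN ID -> entitlement
	netCertFP  = "osnpn-cert-fp"                                             // certificate the O-SNPN shows in EAP-TLS
	ueRoots    = map[string]bool{"osnpn-cert-fp": true}                      // UE: accepted via its pre-provisioned CA chain
)

func tokenMAC(key []byte, t PSToken) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%d", t.SUPI, t.SNPN, t.Expiry)
	return hex.EncodeToString(m.Sum(nil))
}

// UE: encrypt the unique identifier with the DCS public key.
func UECreateSUCI(dcsPub *rsa.PublicKey, id string) (SUCI, error) {
	user, realm, _ := strings.Cut(id, "@")
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dcsPub, []byte(user), []byte("suci"))
	return SUCI{Realm: realm, Enc: enc}, err
}

// DCS: decrypt the SUCI to the SUPI, look up its certificate, derive PS_address from the SNPN ID, mint PS_token.
func DCSAuthInfo(s SUCI, snpn string, now time.Time) (string, string, PSToken, error) {
	user, err := rsa.DecryptOAEP(sha256.New(), nil, dcsPriv, s.Enc, []byte("suci"))
	supi := string(user) + "@" + s.Realm
	fp, ok := dcsCerts[supi]
	if err != nil || !ok {
		return "", "", PSToken{}, fmt.Errorf("SUCI decryption failed or no certificate mapped to SUPI")
	}
	t := PSToken{SUPI: supi, SNPN: snpn, Expiry: now.Add(10 * time.Minute).Unix()}
	t.MAC = tokenMAC(psKey, t)
	return fp, "ps-" + snpn + ".example", t, nil
}

// O-SNPN (AMF/AUSF): check the UE certificate against the DCS record (network side of EAP-TLS, simplified); no UE credentials live here.
func NetRegister(s SUCI, snpn, ueCertFP string, now time.Time) (string, PSToken, error) {
	fp, addr, tok, err := DCSAuthInfo(s, snpn, now)
	if err != nil {
		return "", PSToken{}, err
	}
	if ueCertFP != fp {
		return "", PSToken{}, fmt.Errorf("UE certificate does not match DCS record")
	}
	return addr, tok, nil
}

// Provisioning server: release the entitlement only if MAC, identifier binding and expiry of PS_token all hold.
func PSEntitlement(id string, t PSToken, now time.Time) (string, error) {
	cred, ok := psCreds[t.SNPN]
	if !hmac.Equal([]byte(t.MAC), []byte(tokenMAC(psKey, t))) || t.SUPI != id || now.Unix() > t.Expiry || !ok {
		return "", fmt.Errorf("PS_token rejected or no entitlement for SNPN ID")
	}
	return cred, nil
}

// Onboard runs the whole flow from the UE's side and returns the entitlement for snpn.
func Onboard(id, snpn, ueCertFP string, now time.Time) (string, error) {
	if !ueRoots[netCertFP] { // UE side of mutual authentication: the network certificate must chain to a provisioned CA
		return "", fmt.Errorf("onboarding network certificate not trusted")
	}
	suci, err := UECreateSUCI(&dcsPriv.PublicKey, id)
	if err != nil {
		return "", err
	}
	_, tok, err := NetRegister(suci, snpn, ueCertFP, now) // PS_address would select the PS; only one exists here
	if err != nil {
		return "", err
	}
	return PSEntitlement(id, tok, now)
}

func main() { fmt.Println(Onboard("imei-001@dcs.example", "snpn-a", "ue-cert-fp-001", time.Now())) }
```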
- the present disclosure has an effect of providing a method of operating a terminal in a wireless communication system.
- the present disclosure has an effect of providing a method for dynamically allocating a qualification of a SNPN to which a terminal intends to access in a wireless communication system.
- the present disclosure has an effect of providing a method for a terminal to perform bi-directional authentication with an onboarding network in a wireless communication system.
- When a terminal performs bidirectional authentication with an onboarding SNPN (O-SNPN) in a wireless communication system, it is possible to perform the bidirectional authentication without supporting a proxy function in the onboarding network.
- The present disclosure can perform bidirectional authentication even if the default credential server (DCS) recognizes 5GS and does not support the AUSF and UDM functions, when a terminal performs bidirectional authentication with an onboarding SNPN (O-SNPN) in a wireless communication system.
- Effects obtainable in the embodiments of the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned can be clearly derived and understood, from the description of the following embodiments, by those skilled in the technical field to which the technical configuration of the present disclosure is applied. That is, unintended effects of implementing the configuration described in the present disclosure may also be derived by those skilled in the art from the embodiments of the present disclosure.
- FIG. 1 is a diagram illustrating various reference points.
- E-UTRAN: evolved universal terrestrial radio access network
- FIG 3 is a diagram illustrating an example of an architecture of a general E-UTRAN and an evolved packet core (EPC).
- EPC evolved packet core
- FIG. 4 is a diagram illustrating an example of a structure of a radio interface protocol in a control plane between a user equipment (UE) and an evolved node B (eNB).
- UE user equipment
- eNB evolved node B
- FIG. 5 is a diagram illustrating an example of a structure of an air interface protocol in a user plane between a UE and an eNB.
- FIG. 6 is a diagram illustrating an example of an architecture of a general new radio (NR)-radio access network (RAN).
- NR: new radio
- RAN: radio access network
- FIG. 7 is a diagram illustrating an example of functional separation between a general NG-RAN and a 5th generation core (5GC).
- FIG. 8 is a diagram illustrating an example of a general architecture of a 5th generation (5G) system.
- FIG. 9 is a diagram illustrating an example of a wireless device applicable to the present disclosure.
- FIG. 10 is a diagram illustrating another example of a wireless device applied to the present disclosure.
- FIG. 11 is a diagram illustrating an example of a portable device applied to the present disclosure.
- FIG. 12 is a diagram illustrating a method in which a terminal applied to the present disclosure performs access to a SNPN through qualifications of a qualification holder.
- FIG. 13 is a diagram illustrating a method of dynamically receiving entitlement based on O-SNPN applied to the present disclosure.
- FIG. 15 may illustrate a one-way authentication method applied in the present disclosure.
- FIG. 16 is a diagram illustrating a method of performing authentication applied to the present disclosure.
- FIG. 17 is a diagram illustrating a method of performing authentication by a terminal applied to the present disclosure.
- FIG. 18 is a diagram illustrating a terminal operation method applied to the present disclosure.
- FIG. 19 is a diagram illustrating a terminal operation method applied to the present disclosure.
- each component or feature may be considered optional unless explicitly stated otherwise.
- Each component or feature may be implemented in a form not combined with other components or features.
- an embodiment of the present disclosure may be configured by combining some elements and/or features. The order of operations described in the embodiments of the present disclosure may be changed. Some components or features of one embodiment may be included in another embodiment, or may be replaced with corresponding components or features of another embodiment.
- A base station is a terminal node of a network that directly communicates with a mobile station.
- A specific operation described as being performed by a base station in this document may in some cases be performed by an upper node of the base station.
- The term 'base station' may be replaced by terms such as fixed station, Node B, eNode B, gNode B, ng-eNB, advanced base station (ABS), or access point.
- A terminal includes a user equipment (UE), a mobile station (MS), a subscriber station (SS) and a mobile subscriber station (MSS), and may be replaced with terms such as mobile terminal or advanced mobile station (AMS).
- UE: user equipment
- MS: mobile station
- SS: subscriber station
- MSS: mobile subscriber station
- AMS: advanced mobile station
- The transmitting end refers to a fixed and/or mobile node providing a data service or voice service, and the receiving end refers to a fixed and/or mobile node receiving a data service or voice service. Therefore, in the case of uplink, the mobile station can be the transmitting end and the base station the receiving end. Similarly, in the case of downlink, the mobile station may be the receiving end and the base station the transmitting end.
- Embodiments of the present disclosure may be supported by standard documents disclosed in at least one of the wireless access systems such as an IEEE 802.xx system, a 3rd Generation Partnership Project (3GPP) system, a 3GPP Long Term Evolution (LTE) system, a 3GPP 5th generation (5G) New Radio (NR) system, and a 3GPP2 system; in particular, the embodiments of the present disclosure can be supported by the 3GPP TS (technical specification) 38.211, 3GPP TS 38.212, 3GPP TS 38.213, 3GPP TS 38.321 and 3GPP TS 38.331 documents.
- embodiments of the present disclosure may be applied to other wireless access systems, and are not limited to the above-described systems.
- it may also be applicable to a system applied after the 3GPP 5G NR system, and is not limited to a specific system.
- LTE may refer to technology after 3GPP TS 36.xxx Release 8.
- LTE technology after 3GPP TS 36.xxx Release 10 may be referred to as LTE-A, and technology after 3GPP TS 36.xxx Release 13 may be referred to as LTE-A pro.
- 3GPP NR may mean technology after TS 38.
- 3GPP 6G may mean technology after TS Release 17 and/or Release 18.
- "xxx" means the standard document detail number.
- LTE/NR/6G may be collectively referred to as a 3GPP system.
- IMS (IP Multimedia Subsystem, IP Multimedia Core Network Subsystem): an architectural framework for providing standardization for delivering voice or other multimedia services over IP.
- EPS (Evolved Packet System): a network system composed of an Evolved Packet Core (EPC), which is a packet-switched core network based on IP (Internet Protocol), and access networks such as LTE and UTRAN.
- EPC: Evolved Packet Core
- IP: Internet Protocol
- UMTS (Universal Mobile Telecommunications System): an evolved form of mobile network.
- NodeB: a base station of a UMTS network. It is installed outdoors and the coverage is macro cell scale.
- eNodeB: a base station of an EPS network. It is installed outdoors and the coverage is macro cell scale.
- Home NodeB: a base station of a UMTS network installed indoors; the coverage is micro cell scale.
- Home eNodeB: a base station of an EPS network installed indoors; the coverage is micro cell scale.
- A terminal may be referred to by terms such as terminal, mobile equipment (ME), and mobile station (MS).
- The terminal may be a portable device such as a laptop computer, a mobile phone, a personal digital assistant (PDA), a smart phone, or a multimedia device, or may be a non-portable device such as a personal computer (PC) or a vehicle-mounted device.
- The term terminal may refer to an MTC terminal.
- MTC: Machine Type Communication
- M2M: machine to machine
- MTC UE or MTC device: an MTC terminal, e.g., a vending machine, meters, etc.
- RAN (Radio Access Network): a unit including a Node B, a Radio Network Controller (RNC) that controls it, and an eNodeB in a 3GPP network. It exists at the terminal end and provides connection to the core network.
- RNC: Radio Network Controller
- HLR: Home Location Register
- HSS: Home Subscriber Server
- The HSS may perform functions such as configuration storage, identity management, and user state storage.
- PLMN: Public Land Mobile Network
- NAS (Non-Access Stratum): a functional layer for exchanging signaling and traffic messages between the terminal and the core network in the UMTS and EPS protocol stacks. Its main function is to support the mobility of the terminal and to support the session management procedure for establishing and maintaining the IP connection between the terminal and the PDN GW.
- SCEF: Service Capability Exposure Function
- MME (Mobility Management Entity): a network node of the EPS network that performs mobility management and session management functions.
- PDN-GW: Packet Data Network Gateway
- Serving GW: a network node of the EPS network that performs functions such as mobility anchor, packet routing, idle mode packet buffering, and triggering paging for the UE of the MME.
- PCRF: Policy and Charging Rule Function
- OMA DM (Open Mobile Alliance Device Management): a protocol designed to manage mobile devices such as mobile phones, PDAs and portable computers; it performs functions such as device configuration, firmware upgrade and error reporting.
- OAM: Operation, Administration and Maintenance
- PDN: Packet Data Network
- EMM (EPS Mobility Management): a sub-layer of the NAS layer. Depending on whether the UE is network attached or detached, EMM may be in either the "EMM-Registered" or the "EMM-Deregistered" state.
- ECM (EPS Connection Management) connection: a signaling connection for the exchange of NAS messages, established between the UE and the MME.
- The ECM connection is a logical connection composed of an RRC connection between the UE and the eNB and an S1 signaling connection between the eNB and the MME.
- An established ECM connection means that the UE has an RRC connection established with the eNB, and that the MME has an S1 signaling connection established with the eNB.
- The ECM may have a state of "ECM-Connected" or "ECM-Idle".
- AS (Access Stratum): includes the protocol stack between the UE and the wireless (or access) network, and is responsible for transmitting data and network control signals.
- MO (Management Object): a management object used in the process of setting parameters related to NAS functionality in the UE.
- PDN (Packet Data Network): a network in which servers supporting specific services (e.g., MMS (Multimedia Messaging Service) server, WAP (Wireless Application Protocol) server, etc.) are located.
- MMS: Multimedia Messaging Service
- WAP: Wireless Application Protocol
- PDN connection: a logical connection between the UE and the PDN, represented by one IP address (one IPv4 address and/or one IPv6 prefix).
- APN (Access Point Name): a string that indicates or identifies a PDN. A specific P-GW is passed through to reach the PDN, and the APN is a predefined name (string) within the network used to find this P-GW (e.g. internet.mnc012.mcc345.gprs).
- ANDSF Access Network Discovery and Selection Function: Provides a policy that allows the UE to discover and select available access in units of operators as a network entity.
- EPC path (or infrastructure data path): User plane communication path through EPC
- E-RAB E-UTRAN Radio Access Bearer: refers to the concatenation of the S1 bearer and the corresponding data radio bearer. If an E-RAB exists, there is a one-to-one mapping between the E-RAB and the EPS bearer of the NAS.
- GTP (GPRS Tunneling Protocol): a group of IP-based communications protocols used to carry the general packet radio service (GPRS) within GSM, UMTS and LTE networks.
- GTP- and proxy mobile IPv6-based interfaces are specified at various interface points.
- GTP can be decomposed into several protocols (e.g., GTP-C, GTP-U and GTP').
- GTP-C is used within a GPRS core network for signaling between Gateway GPRS Support Nodes (GGSN) and Serving GPRS Support Nodes (SGSN).
- GTP-C allows the SGSN to activate a session for a user (e.g., activate a PDN context), deactivate the same session, adjust the quality of service parameters, or renew a session for a subscriber that has just started operating from another SGSN.
- GTP-U is used to carry user data within the GPRS core network and between the radio access network and the core network.
- The three main requirement areas for 5G are (1) the Enhanced Mobile Broadband (eMBB) area, (2) the Massive Machine Type Communication (mMTC) area, and (3) the Ultra-Reliable and Low Latency Communications (URLLC) area.
- eMBB: Enhanced Mobile Broadband
- mMTC: Massive Machine Type Communication
- URLLC: Ultra-Reliable and Low Latency Communications
- KPI: key performance indicator
- The 5G system is a technology advanced from the 4th generation LTE mobile communication technology; it supports a new radio access technology (RAT), eLTE (extended LTE) as an extended technology of LTE (Long Term Evolution), and non-3GPP (e.g., WLAN) access.
- RAT: Radio Access Technology
- LTE: Long Term Evolution; eLTE: extended LTE
- non-3GPP access: e.g., WLAN
- the 5G system is defined as service-based, and the interaction between network functions (NFs) in the architecture for the 5G system can be represented in two ways as follows.
- NFs network functions
- Network functions eg, AMF
- CP Control Plane
- This representation also includes a point-to-point reference point where necessary.
- the two gateways may be implemented according to a single gateway configuration option.
- the MME is an element that performs signaling and control functions for supporting access to a network connection of a UE, allocation of network resources, tracking, paging, roaming, and handover.
- the MME controls control plane functions related to subscriber and session management.
- the MME manages numerous eNBs and performs signaling for selection of a conventional gateway for handover to other 2G/3G networks.
- the MME performs functions such as security procedures, terminal-to-network session handling, and idle terminal location management.
- The SGSN handles all packet data such as user mobility management and authentication towards other 3GPP networks (e.g., GPRS networks).
- 3GPP networks e.g., GPRS networks
- The ePDG acts as a security node for untrusted non-3GPP networks (e.g., I-WLAN, WiFi hotspots, etc.).
- untrusted non-3GPP networks e.g., I-WLAN, WiFi hotspots, etc.
- A UE having IP capability can access IP services provided by an operator via various elements in the EPC, not only based on 3GPP access but also on non-3GPP access.
- A service network (e.g., IMS) may be accessed.
- reference points such as, for example, S1-U, S1-MME, etc. may connect two functions residing in different functional entities.
- a conceptual link connecting two functions existing in different functional entities of E-UTRAN and EPC is defined as a reference point.
- Table 1 summarizes the reference points shown in FIG. 1.
- various reference points may exist according to the network structure.
- S2a and S2b correspond to non-3GPP interfaces.
- S2a is a reference point that provides the user plane with related control and mobility support between trusted non-3GPP access and PDN GWs.
- S2b is a reference point that provides the user plane with related control and mobility support between ePDG and PDN GW.
- E-UTRAN evolved universal terrestrial radio access network
- the E-UTRAN system is a system evolved from the existing UTRAN system, and may be, for example, a 3GPP LTE/LTE-A system.
- Communication networks are widely deployed to provide various communication services such as voice (eg, Voice over Internet Protocol (VoIP)) over IMS and packet data.
- voice eg, Voice over Internet Protocol (VoIP)
- VoIP Voice over Internet Protocol
- the E-UMTS network includes an E-UTRAN, EPC and one or more UEs.
- the E-UTRAN is composed of eNBs that provide control plane and user plane protocols to the UE, and the eNBs are connected through an X2 interface.
- An X2 user plane interface (X2-U) is defined between eNBs.
- the X2-U interface provides non-guaranteed delivery of user plane packet data units (PDUs).
- An X2 control plane interface (X2-CP) is defined between two neighboring eNBs.
- the X2-CP performs functions such as transfer of context between eNBs, control of a user plane tunnel between a source eNB and a target eNB, transfer of handover-related messages, and uplink load management.
- the eNB is connected to the terminal through a radio interface and connected to an evolved packet core (EPC) through an S1 interface.
- EPC evolved packet core
- the S1 user plane interface (S1-U) is defined between the eNB and the serving gateway (S-GW).
- An S1 control plane interface (S1-MME) is defined between an eNB and a mobility management entity (MME).
- the S1 interface performs an evolved packet system (EPS) bearer service management function, a non-access stratum (NAS) signaling transport function, a network sharing function, and an MME load balancing function.
- EPS evolved packet system
- NAS non-access stratum
- The S1 interface supports a many-to-many relation between the eNB and the MME/S-GW.
- The MME performs NAS signaling, NAS signaling security, AS (Access Stratum) security control, inter-CN (Core Network) node signaling to support mobility between 3GPP access networks, IDLE mode UE reachability (including control and execution of paging retransmission), Tracking Area Identity (TAI) management (for idle and active mode UEs), PDN GW and SGW selection, MME selection for handover in which the MME is changed, SGSN selection for handover to 2G or 3G 3GPP access networks, roaming, authentication, bearer management functions including dedicated bearer establishment, and Public Warning System (PWS) (including the Earthquake and Tsunami Warning System (ETWS) and Commercial Mobile Alert System (CMAS)) message transmission.
- PWS Public Warning System
- ETWS Earthquake and Tsunami Warning System
- CMAS Commercial Mobile Alert System
- FIG 3 is a diagram illustrating an example of an architecture of a general E-UTRAN and an evolved packet core (EPC).
- EPC evolved packet core
- While a Radio Resource Control (RRC) connection is active, the eNB may perform functions such as routing to the gateway, scheduling and transmission of paging messages, scheduling and transmission of broadcast channels (BCH), dynamic allocation of uplink and downlink resources to the UE, configuration and provision of eNB measurements, radio bearer control, radio admission control, and connection mobility control. Within the EPC, functions such as paging origination, LTE_IDLE state management, user plane ciphering, SAE bearer control, and NAS signaling ciphering and integrity protection may be performed.
- Annex J of 3GPP TR 23.799 shows various architectures combining 5G and 4G.
- 3GPP TS 23.501 shows an architecture using NR and NGC.
- FIG. 4 is a diagram illustrating an example of the structure of the radio interface protocol in the control plane between a user equipment (UE) and an evolved node B (eNB), and FIG. is a diagram showing an example of the structure of the air interface protocol of
- UE user equipment
- eNB evolved node B
- the air interface protocol is based on the 3GPP radio access network standard.
- Horizontally, the air interface protocol consists of a physical layer, a data link layer, and a network layer; vertically, it is divided into a user plane for data information transmission and a control plane for control signaling transmission.
- The protocol layers can be divided into L1 (layer 1), L2 (layer 2), and L3 (layer 3) based on the lower three layers of the Open System Interconnection (OSI) reference model widely known in communication systems.
- OSI Open System Interconnection
- the first layer provides an information transfer service using a physical channel.
- the physical layer is connected to an upper medium access control layer through a transport channel, and data is transferred between the medium access control layer and the physical layer through the transport channel. Also, data is transferred between different physical layers, that is, between physical layers of a transmitting side and a receiving side through a physical channel.
- a physical channel is composed of several subframes on the time axis and several subcarriers on the frequency axis.
- One subframe consists of a plurality of resource blocks.
- One resource block consists of a plurality of OFDM symbols on the time axis and a plurality of subcarriers on the frequency axis.
- a transmission time interval (TTI) which is a unit time in which data is transmitted, is 1 ms corresponding to one subframe.
- The physical channels existing in the physical layers of the transmitting side and the receiving side can be divided into the data channels PDSCH (Physical Downlink Shared Channel) and PUSCH (Physical Uplink Shared Channel), and the control channels PDCCH (Physical Downlink Control Channel), Physical Control Format Indicator Channel (PCFICH), Physical Hybrid-ARQ Indicator Channel (PHICH), and Physical Uplink Control Channel (PUCCH).
- PCFICH Physical Control Format Indicator Channel
- PHICH Physical Hybrid-ARQ Indicator Channel
- PUCCH Physical Uplink Control Channel
- The medium access control (MAC) layer of the second layer plays the role of mapping various logical channels to various transport channels, and also plays the role of logical channel multiplexing, mapping several logical channels to one transport channel.
- The MAC layer is connected to the RLC layer, which is the upper layer, through logical channels; the logical channels include traffic channels that transmit user plane information.
- The Radio Link Control (RLC) layer of the second layer segments and concatenates the data received from the upper layer to adjust the data size so that the lower layer can suitably transmit the data over the radio section.
- The Packet Data Convergence Protocol (PDCP) layer of the second layer performs a header compression function that reduces the packet header size, in order to efficiently transmit IP packets such as IPv4 or IPv6, whose headers are relatively large and contain unnecessary control information, over a radio section with a small bandwidth.
- the PDCP layer also performs a security function, which consists of ciphering to prevent data interception by a third party and integrity protection to prevent data manipulation by a third party.
- The Radio Resource Control (RRC) layer located at the top of the third layer is defined only in the control plane, and is responsible for controlling logical channels, transport channels, and physical channels in relation to the configuration, re-configuration, and release of radio bearers (Radio Bearer; abbreviated as RB).
- RB means a service provided by the second layer for data transmission between the UE and the E-UTRAN.
- If an RRC connection is established between the RRC layer of the UE and the RRC layer of the wireless network, the UE is in RRC Connected Mode; otherwise it is in RRC Idle Mode.
- the RRC state indicates whether or not the RRC of the UE has a logical connection with the RRC of the E-UTRAN. When connected, it is called RRC_CONNECTED state, and when not connected, it is called RRC_IDLE state. Since the UE in the RRC_CONNECTED state has an RRC connection, the E-UTRAN can determine the existence of the corresponding UE in units of cells, and thus can effectively control the UE. On the other hand, the UE in the RRC_IDLE state cannot be detected by the E-UTRAN, and is managed by the core network in TA (Tracking Area) units, which are larger than cells.
- TA Tracking Area
- The existence of the UE in the RRC_IDLE state is known only in units of an area larger than the cell, and the UE must transition to the RRC_CONNECTED state to receive normal mobile communication services such as voice and data.
- Each TA is identified through a tracking area identity (TAI).
- the UE may configure a TAI through a tracking area code (TAC), which is information broadcasted in a cell.
- TAI tracking area identity
- When the user first turns on the power of the UE, the UE first searches for an appropriate cell, establishes an RRC connection in that cell, and registers UE information in the core network. After this, the UE stays in the RRC_IDLE state. The UE staying in the RRC_IDLE state (re)selects a cell as needed and examines system information or paging information. This is referred to as camping on the cell.
- When the UE remaining in the RRC_IDLE state needs to establish an RRC connection, it establishes an RRC connection with the RRC of the E-UTRAN through an RRC connection procedure and transitions to the RRC_CONNECTED state.
- Cases in which the UE in the RRC_IDLE state needs to establish an RRC connection include, for example, the need to send a response message.
- a non-access stratum (NAS) layer located above the RRC layer performs functions such as session management and mobility management.
- NAS non-access stratum
- the NAS layer shown in FIG. 4 will be described in detail below.
- Evolved Session Management belonging to the NAS layer performs functions such as default bearer management and dedicated bearer management, and is in charge of controlling the UE to use the PS service from the network.
- the default bearer resource has the characteristic of being allocated from the network when connecting to a specific Packet Data Network (PDN) for the first time.
- PDN Packet Data Network
- the network allocates an IP address that the UE can use so that the UE can use the data service, and also allocates the QoS of the default bearer.
- LTE supports two types of bearers, a bearer with guaranteed bit rate (GBR) QoS characteristics that guarantees a specific bandwidth for data transmission/reception, and a non-GBR bearer with best effort QoS characteristics without guaranteeing bandwidth.
- a non-GBR bearer is assigned.
- a bearer having QoS characteristics of GBR or Non-GBR may be allocated.
- a bearer allocated to the UE by the network is called an evolved packet service (EPS) bearer, and when the EPS bearer is allocated, the network allocates one ID. This is called the EPS Bearer ID.
- One EPS bearer has QoS characteristics of maximum bit rate (MBR) and/or guaranteed bit rate (GBR).
- an NG-RAN node may be one of the following.
- the gNB and ng-eNB are connected to each other through the Xn interface.
- The gNB and ng-eNB are connected to the 5GC through the NG interface, more specifically to the access and mobility management function (AMF: Access and Mobility Management Function) through the NG-C interface and to the user plane function (UPF: User Plane Function) through the NG-U interface (refer to 3GPP TS 23.501 [3]).
- AMF Access and Mobility Management Function
- FIG. 7 is a diagram illustrating an example of functional separation between a general NG-RAN and a 5th generation core (5GC). Referring to FIG. 7, yellow boxes represent logical nodes and white boxes represent main functions.
- gNB and ng-eNB host the following functions:
- Radio resource management functions: radio bearer control, radio admission control, access mobility control, and dynamic allocation of resources to the UE in both uplink and downlink (scheduling)
- AMF hosts the following key functions (see 3GPP TS 23.501 [3]).
- UPF hosts the following key functions (see 3GPP TS 23.501 [3]).
- the Session Management Function hosts the following key functions (see 3GPP TS 23.501 [3]).
- FIG. 8 is a diagram illustrating an example of a general architecture of a 5th generation (5G) system. The following is a description of each reference interface and node in FIG. 8 .
- The Access and Mobility Management Function supports functions such as signaling between CN nodes for mobility between 3GPP access networks, termination of the Radio Access Network (RAN) CP interface (N2), termination of NAS signaling (N1), registration management (registration area management), idle mode UE reachability, network slicing support, and SMF selection.
- AMF Access and Mobility Management Function
- a data network means, for example, an operator service, Internet access, or a third party service.
- The DN transmits a downlink protocol data unit (PDU) to the UPF, or receives from the UPF a PDU transmitted by the UE.
- PDU protocol data unit
- a policy control function provides a function of receiving packet flow information from an application server and determining policies such as mobility management and session management.
- a session management function provides a session management function, and when a UE has multiple sessions, each session may be managed by a different SMF.
- SMF Session Management Function
- Unified Data Management (UDM: Unified Data Management) stores user subscription data and policy data.
- The User Plane Function (UPF: User Plane Function) forwards the downlink PDU received from the DN to the UE via the (R)AN, and forwards the uplink PDU received from the UE via the (R)AN to the DN.
- The Application Function interoperates with the 3GPP core network to provide services (e.g., it supports functions such as application influence on traffic routing, access to network capability exposure, and interaction with the policy framework for policy control).
- The Radio Access Network ((R)AN) is a generic term for a new radio access network supporting both evolved E-UTRA (evolved E-UTRA), which is an evolved version of the 4G radio access technology, and the new radio access technology (NR: New Radio) (for example, gNBs).
- E-UTRA evolved E-UTRA
- NR New Radio
- The gNB supports functions such as radio resource management (i.e., Radio Bearer Control, Radio Admission Control, Connection Mobility Control) and dynamic allocation of resources (i.e., scheduling) to the UE in uplink/downlink.
- radio resource management i.e., Radio Bearer Control, Radio Admission Control, Connection Mobility Control
- UE means a user equipment.
- a conceptual link connecting NFs in the 5G system is defined as a reference point.
- N1 is a reference point between UE and AMF
- N2 is a reference point between (R)AN and AMF
- N3 is a reference point between (R)AN and UPF
- N4 is a reference point between SMF and UPF
- N6 is a reference point between UPF and data network.
- N9 is a reference point between two core UPFs
- N5 is a reference point between PCF and AF
- N7 is a reference point between SMF and PCF
- N24 is a reference point between PCF in a visited network and PCF in a home network.
- N8 is the reference point between UDM and AMF
- N10 is the reference point between UDM and SMF
- N11 is the reference point between AMF and SMF
- N12 is the reference point between AMF and Authentication Server function (AUSF: Authentication Server function)
- N13 is the reference point between UDM and AUSF
- N14 is the reference point between two AMFs
- N15 is the reference point between PCF and AMF in the non-roaming scenario
- N16 is the reference point between two SMFs (in roaming scenarios, the reference point between the SMF in the visited network and the SMF in the home network)
- N17 is the reference point between AMF and 5G-EIR (Equipment Identity Register)
- N18 is the reference point between AMF and UDSF (Unstructured Data Storage Function)
- N22 is the reference point between AMF and Network Slice Selection Function (NSSF)
- N23 is the reference point between PCF and Network Data Analytics Function
- In FIG. 8, for convenience of description, a reference model for the case where a UE accesses one DN using one PDU session is illustrated, but the disclosure is not limited thereto.
- The eNB corresponds to the gNB
- The MM (mobility management) function of the MME corresponds to the AMF
- The SM function of the S/P-GW corresponds to the SMF
- The user plane related functions of the S/P-GW can be replaced in the 5G system by the UPF, etc.
- FIG. 9 is a diagram illustrating an example of a wireless device applicable to the present disclosure.
- a first wireless device 900a and a second wireless device 900b may transmit and receive wireless signals through various wireless access technologies (eg, LTE and NR).
- {the first wireless device 900a, the second wireless device 900b} may correspond to {the wireless device 100x, the base station 120} and/or {the wireless device 100x, the wireless device 100x} of FIG. 1.
- the first wireless device 900a includes one or more processors 902a and one or more memories 904a, and may further include one or more transceivers 906a and/or one or more antennas 908a.
- the processor 902a controls the memory 904a and/or the transceiver 906a and may be configured to implement the descriptions, functions, procedures, suggestions, methods and/or flowcharts of operations disclosed herein.
- the processor 902a may process information in the memory 904a to generate first information/signal and transmit a radio signal including the first information/signal through the transceiver 906a.
- the processor 902a may receive a radio signal including the second information/signal through the transceiver 906a and store information obtained from signal processing of the second information/signal in the memory 904a.
- the memory 904a may be connected to the processor 902a and may store various information related to the operation of the processor 902a.
- the second wireless device 900b includes one or more processors 902b, one or more memories 904b, and may further include one or more transceivers 906b and/or one or more antennas 908b.
- the processor 902b controls the memory 904b and/or the transceiver 906b and may be configured to implement the descriptions, functions, procedures, suggestions, methods and/or operational flow diagrams disclosed herein.
- the processor 902b may process information in the memory 904b to generate third information/signal, and transmit a radio signal including the third information/signal through the transceiver 906b.
- the processor 902b may receive a radio signal including the fourth information/signal through the transceiver 906b and store information obtained from signal processing of the fourth information/signal in the memory 904b.
- the memory 904b may be connected to the processor 902b and may store various information related to the operation of the processor 902b.
- The memory 904b may store software codes including instructions for performing some or all of the processes controlled by the processor 902b, or for performing the descriptions, functions, procedures, suggestions, methods, and/or flowcharts of operations disclosed herein.
- the processor 902b and the memory 904b may be part of a communication modem/circuit/chip designed to implement a wireless communication technology (eg, LTE, NR).
- a wireless communication technology eg, LTE, NR
- the transceiver 906b may be coupled to the processor 902b and may transmit and/or receive wireless signals through one or more antennas 908b.
- the transceiver 906b may include a transmitter and/or a receiver.
- the transceiver 906b may be used interchangeably with an RF unit.
- a wireless device may mean a communication modem/circuit/chip.
- FIG. 10 is a diagram illustrating another example of a wireless device applied to the present disclosure.
- A wireless device 1300 corresponds to the wireless devices 900a and 900b of FIG. 9 and may be configured with various elements, components, units/units, and/or modules.
- the wireless device 1000 may include a communication unit 1010, a control unit 1020, a memory unit 1030, and an additional element 1040.
- the communication unit may include communication circuitry 1012 and transceiver(s) 1014 .
- communication circuitry 1012 may include one or more processors 902a, 902b of FIG. 9 and/or one or more memories 904a, 904b.
- transceiver(s) 1014 may include one or more transceivers 906a, 906b of FIG.
- The control unit 1020 is electrically connected to the communication unit 1010, the memory unit 1030, and the additional element 1040 and controls the overall operation of the wireless device. For example, the control unit 1020 may control electrical/mechanical operations of the wireless device based on programs/codes/commands/information stored in the memory unit 1030. In addition, the control unit 1020 may transmit information stored in the memory unit 1030 to the outside (e.g., another communication device) through the communication unit 1010 via a wireless/wired interface, or may store in the memory unit 1030 information received from the outside (e.g., another communication device) through the communication unit 1010 via a wireless/wired interface.
- the additional element 1040 may be configured in various ways according to the type of wireless device.
- the additional element 1040 may include at least one of a power unit/battery, an input/output unit, a driving unit, and a computing unit.
- The wireless device 1000 may be a robot, vehicle, XR device, portable device, home appliance, IoT device, digital broadcasting terminal, hologram device, public safety device, MTC device, medical device, fintech device (or financial device), security device, climate/environment device, AI server/device, base station, network node, and the like.
- Wireless devices can be mobile or used in a fixed location depending on the use-case/service.
- various elements, components, units/units, and/or modules in the wireless device 1000 may be entirely interconnected through a wired interface, or at least some of them may be wirelessly connected through the communication unit 1010.
- the control unit 1020 and the communication unit 1010 are connected by wire, and the control unit 1020 and other components may be wirelessly connected through the communication unit 1010.
- each element, component, unit/unit, and/or module within the wireless device 1000 may further include one or more elements.
- the control unit 1020 may be composed of one or more processor sets.
- control unit 1020 may include a set of a communication control processor, an application processor, an electronic control unit (ECU), a graphic processing processor, a memory control processor, and the like.
- The memory unit 1030 may be configured with RAM, dynamic RAM (DRAM), ROM, flash memory, volatile memory, non-volatile memory, and/or combinations thereof.
- FIG. 11 is a diagram illustrating an example of a portable device applied to the present disclosure.
- a portable device may include a smart phone, a smart pad, a wearable device (eg, a smart watch, a smart glass), and a portable computer (eg, a laptop computer).
- a mobile device may be referred to as a mobile station (MS), a user terminal (UT), a mobile subscriber station (MSS), a subscriber station (SS), an advanced mobile station (AMS), or a wireless terminal (WT).
- MS mobile station
- UT user terminal
- MSS mobile subscriber station
- SS subscriber station
- AMS advanced mobile station
- WT wireless terminal
- A portable device 1100 may include an antenna unit 1108, a communication unit 1110, a control unit 1120, a memory unit 1130, a power supply unit 1140a, an interface unit 1140b, and an input/output unit 1140c.
- the antenna unit 1108 may be configured as part of the communication unit 1110. Blocks 1110 to 1130/1140a to 1140c respectively correspond to blocks 1010 to 1030/1040 of FIG. 10 .
- the communication unit 1110 may transmit/receive signals (eg, data, control signals, etc.) with other wireless devices and base stations.
- the controller 1120 may perform various operations by controlling components of the portable device 1100 .
- the controller 1120 may include an application processor (AP).
- the memory unit 1130 may store data/parameters/programs/codes/commands necessary for driving the portable device 1100 . Also, the memory unit 1130 may store input/output data/information and the like.
- the power supply unit 1140a supplies power to the portable device 1100 and may include a wired/wireless charging circuit, a battery, and the like.
- the interface unit 1140b may support connection between the portable device 1100 and other external devices.
- the interface unit 1140b may include various ports (eg, audio input/output ports and video input/output ports) for connection with external devices.
- the input/output unit 1140c may receive or output image information/signal, audio information/signal, data, and/or information input from a user.
- the input/output unit 1140c may include a camera, a microphone, a user input unit, a display unit 1140d, a speaker, and/or a haptic module.
- the input/output unit 1140c acquires information/signals (eg, touch, text, voice, image, video) input from the user, and the acquired information/signals are stored in the memory unit 1130.
- the communication unit 1110 may convert the information/signal stored in the memory into a wireless signal, and directly transmit the converted wireless signal to another wireless device or to a base station.
- the communication unit 1110 may receive a radio signal from another wireless device or base station and then restore the received radio signal to original information/signal. After the restored information/signal is stored in the memory unit 1130, it may be output in various forms (eg, text, voice, image, video, or haptic) through the input/output unit 1140c.
- a private network may be configured and a non-public network (NPN) function may be provided.
- NPN can be divided into a public network integrated NPN (PNI-NPN) supported through a public network and a standalone NPN (SNPN) constructing a separate network.
- PNI-NPN public network integrated NPN
- SNPN standalone NPN
- The UE needs to possess credentials of the corresponding NPN in advance in order to access each NPN. That is, the terminal can access only an NPN for which it holds credentials in advance.
- The terminal does not always hold the credentials in advance, but may receive the credentials dynamically and then access the corresponding NPN.
- When a UE is dynamically allocated a credential, the UE needs to be allocated the corresponding SNPN credential while maintaining security; this is described below.
- the PNI-NPN may be an NPN available through the PLMN.
- When the terminal wants to access the NPN through the PNI-NPN, the terminal may need to subscribe to the PLMN for PNI-NPN access.
- The SNPN may be a network that does not depend on the public network and operates independently. Accordingly, the SNPN may not support interworking with the evolved packet system (EPS) and may not support emergency services. As another example, the SNPN may not support a roaming service, but this is not limited to a specific embodiment. That is, the SNPN may be a private network operated independently of a public network. The following describes a method of receiving credentials through authentication in an onboarding process based on the SNPN, but is not limited thereto.
- EPS evolved packet system
- When the terminal wants to access the SNPN, the terminal may access the SNPN through the PLMN or perform a direct connection to the SNPN, but this is not limited to a specific embodiment.
- The case in which a terminal performs a direct connection to an SNPN is described as the reference case, but the disclosure is not limited thereto.
- When a terminal wants to access an SNPN, the terminal holds the credentials of the SNPN to be accessed, and can access the SNPN based on them.
- The terminal may be dynamically assigned a credential through the credentials of a credential holder (CH) having an SNPN credential, and perform access to the SNPN through the assigned credential.
- CH credential holder
- The terminal is not fixed and may perform access to SNPNs located in various areas based on mobility.
- Since there is a limit to the terminal possessing the credentials of all SNPNs, the terminal needs to be dynamically allocated the credentials of the SNPN to be accessed based on a credential holder.
- FIG. 12 is a diagram illustrating a method in which a terminal applied to the present disclosure performs access to an SNPN through the credentials of a credential holder.
- The UE is assigned the credential of the SNPN 1220 to be accessed through the credentials of the credential holder 1210, and can access the SNPN 1220.
- an authentication, authorization, and accounting (AAA) server for SNPN access qualification may be located outside the SNPN.
- The AAA server may be a server that manages authentication based on the terminal verification process, authorization based on the terminal verification, and accounting for the terminal.
- The credential holder 1210 may perform authentication for the terminal based on the above-described AAA server and provide the terminal with the credential of the SNPN 1220 to be accessed.
- configuration information for SNPN connection may be broadcast through an NG-RAN node providing SNPN connection.
- the broadcasted information may include at least one of at least one PLMN ID and NID list information identifying an NPN accessible through the NG-RAN per PLMN ID.
- the information to be broadcast is an indicator indicating whether access support is possible through the qualification of an external qualification holder for each SNPN, a list of GNIs supported per SNPN, and each SNPN To explicitly select a SNPN It may further include at least one or more of indicator information indicating whether or not to allow registration attempts for terminals not instructed, and is not limited to a specific embodiment.
- the terminal acquires at least one of a PLMN ID and a network identifier (NID) of the SNPN for each SNPN to which it subscribes can do.
- NID network identifier
- a terminal capable of SNPN connection may acquire at least one of a subscriber identifier (SUPI) and credentials.
- SUPI subscriber identifier
- as information related to a non-3GPP interworking function (N3IWF) for access through a non-3GPP access network, a terminal capable of SNPN connection may obtain at least one of the N3IWF fully qualified domain name (FQDN) and an identifier of the country where the N3IWF is located, but is not limited thereto.
- when SNPN access using the credentials of a credential holder is supported for each subscribed SNPN, the UE may further acquire at least one of preferred SNPN list information controlled by the UE, preferred SNPN list information controlled by the credential holder, and GIN list information controlled by the credential holder, but is not limited thereto.
- the preferred SNPN list information controlled by the credential holder and the GIN list information controlled by the credential holder may be updated by the credential holder.
- the information acquired by the terminal may be broadcast by the NG-RAN, as described above.
- a method for the UE to select a SNPN may be considered.
- a terminal capable of SNPN access may perform SNPN selection based on an SNPN access mode.
- in the SNPN access mode, the terminal can perform access only through a SNPN, but is not limited thereto.
- a terminal in which the SNPN access mode is set may connect through a SNPN.
- the terminal may perform network selection based on whether SNPN access is supported through the credentials of the credential holder.
- the terminal may first attempt to access the last connected SNPN. If the last connected SNPN cannot be accessed, the terminal may attempt access to the SNPN identified by the terminal's SUPI and the PLMN ID or NID of the network holding the credentials.
- the terminal may perform access through an available SNPN.
- the available SNPN may be determined based on at least one of preferred SNPN list information controlled by the terminal, preferred SNPN list information controlled by the credential holder, and GIN list information controlled by the credential holder.
- a SNPN that is not included in the preferred SNPN list information controlled by the credential holder or in the GIN list information controlled by the credential holder, and is not explicitly indicated by the network, but is available through the terminal's credential holder, may also be determined to be an available SNPN, and is not limited to a specific embodiment.
- in the past, one credential could correspond to one SNPN ID, but based on the above, a plurality of credentials may exist for one SNPN ID, and a plurality of SNPN IDs may exist for one credential, and is not limited to a specific form.
- the terminal can perform access by selecting one SNPN from among the available SNPNs.
- the terminal checks the list of SNPNs supporting access through the credentials of the credential holder and sets them as available SNPNs, and is not limited to a specific form.
- the UE may perform SNPN selection based on the available SNPNs.
- the terminal may configure a subscription data list and perform SNPN selection based on the subscription data list.
- the subscription data list may include at least one of a SUPI-type subscriber ID, credential information, and a SNPN identifier.
- the subscription data list may include configuration information for each SNPN based on the terminal, and validity information for each SNPN may be recorded.
- the terminal may not connect to a SNPN whose validity is set to invalid in the subscription data list.
- the terminal may not connect to the invalid SNPN until the USIM is newly inserted or the power is turned on again.
- a terminal capable of SNPN connection may support SNPN access using the credentials of a credential holder (CH), which can perform authentication and grant access rights.
- the AAA server of the credential holder may authenticate and authorize the SNPN connection of the terminal.
- the AAA server may be a server that manages authentication based on the terminal verification process, authorization based on the terminal verification, and the terminal account.
- an authentication server function (AUSF) of the SNPN may authenticate and authorize a terminal based on credentials provided from the AAA server of the credential holder.
- the AUSF first searches for and selects the AAA server that is to authenticate the extensible authentication protocol (EAP) message.
- EAP extensible authentication protocol
- the SUPI may be used as information for identifying the terminal.
- the AMF and SMF of the SNPN may read the UE subscription information from the UDM based on the above-described SUPI.
- the terminal can perform authentication through the credentials of the credential holder to obtain authorization for the SNPN connection and then connect to the SNPN.
- an onboarding process and a provisioning process may be required for a terminal to access an NPN.
- the onboarding process may refer to the role in which an onboarding SNPN (O-SNPN) in charge of onboarding authenticates the terminal and provides connectivity to a provisioning server that manages SNPN credentials.
- O-SNPN onboarding SNPN
- the O-SNPN is a SNPN in charge of onboarding and may be included in the target SNPN as a logical entity, or may be a SNPN separate from it, and is not limited to a specific form.
- the provisioning process may refer to the role of providing SNPN credentials to the terminal after verifying whether the terminal connected through the onboarding process has access authority. That is, the terminal may be authenticated in the onboarding process through the O-SNPN, and based on this authentication may be dynamically allocated credentials through the provisioning server in the provisioning process and then access the SNPN.
- a terminal that does not previously possess SNPN credentials can thus dynamically and safely receive the credentials needed to access the SNPN and use its services.
- a terminal 1310 may dynamically access the SNPN 1340 by receiving the credentials of the SNPN 1340.
- the terminal may not hold the credentials of the corresponding SNPN 1340 and may be dynamically provided with them based on the O-SNPN 1320.
- an onboarding process and a provisioning process may be required in order for a terminal to dynamically receive SNPN credentials.
- the onboarding process may mean that the SNPN in charge of onboarding (i.e., the O-SNPN 1320) authenticates the terminal and provides connectivity to a provisioning server 1330 that manages SNPN credentials.
- the terminal 1310 may transmit a registration and authentication request to the O-SNPN 1320 and obtain a registration response and provisioning server address information from the O-SNPN 1320. Through this, the terminal may be provided with connectivity to the provisioning server 1330.
- the provisioning process may refer to the role of providing the terminal with the credentials of the SNPN 1340 after verifying whether the terminal connected through the onboarding process has access authority.
- the terminal 1310 may transmit a credential request to the provisioning server 1330, and the provisioning server 1330 may perform authentication based on the credential request.
- the provisioning server 1330 may perform a credential fetch with the SNPN 1340 that the terminal 1310 wants to access, and provide the terminal 1310 with the credentials of the corresponding SNPN 1340 based on this.
- the terminal 1310 may then deregister from the O-SNPN 1320. After that, the terminal 1310 may access the corresponding SNPN 1340 based on the acquired credentials.
- an operation for performing authentication between the terminal and the O-SNPN may be required.
- an authentication method for the O-SNPN may be required. That is, there is a need to ensure authentication between the terminal and the O-SNPN, and an authentication operation for this may be required.
- connectivity may be provided based on the control plane or based on the user plane, and is not limited to a specific form.
- the provisioning server may be located externally, and the terminal may be dynamically assigned credentials as a result of mutual authentication between the terminal and the provisioning server. Accordingly, specific methods for performing mutual authentication between the terminal and the provisioning server may be required.
- in consideration of the above, a method of performing mutual authentication between the terminal and the O-SNPN and between the terminal and the provisioning server may be as shown in FIG. 14.
- FIG. 14 may be a two-way authentication scheme applied in the present disclosure.
- a terminal can be provided, by the terminal manufacturer at the time of manufacture, with basic credentials (e.g. a private key or certificate) that can be used for future onboarding authentication and a unique ID that can be distinguished within the manufacturer.
- the unique ID may be in the form of a network access identifier (NAI) (e.g. username@domain). That is, the terminal 1410 may hold in advance basic credentials and a unique ID that can be used for onboarding authentication.
- NAI network access identifier
- the terminal 1410 may search for and select a nearby O-SNPN 1420 and transmit a registration request including the unique ID.
- the AMF 1420-1 of the O-SNPN 1420 may check the registration procedure with the terminal and transmit the registration message to the AUSF 1420-2 in charge of authentication.
- the UE may not possess credentials for the O-SNPN 1420 itself, possessing only the basic credentials and the unique ID.
- the AUSF 1420-2 may establish a business contract in advance with a manufacturer default credential server (DCS) 1430 for authentication, and may have an external interface.
- the DCS 1430 may be located inside or outside the O-SNPN 1420, and is not limited to a specific embodiment.
- the AUSF 1420-2 may form an interface with the DCS 1430 in advance, and may request authentication through the configured interface. That is, for authentication of the terminal 1410, the AUSF 1420-2 and the DCS 1430 may require a secure connection over a pre-established external interface.
- where the DCS 1430 is an existing AAA server, the AUSF 1420-2 needs to act as a proxy that converts the 5GS service based interface (SBI) to the external AAA interface. That is, the AUSF 1420-2 needs to have a proxy function.
- where the DCS 1430 is 5GS-aware and supports the AUSF and UDM functions, the AUSF 1420-2 of the O-SNPN can serve to relay the registration message in both directions.
- in order for the AUSF 1420-2 and the DCS 1430 to establish a secure connection over the interface, either the AUSF 1420-2 must have a proxy function, or the DCS 1430 must be 5GS-aware and support the AUSF and UDM functions.
- the AUSF 1420-2 checks the domain part in the received registration message, identifies and selects the DCS 1430 with which to connect, and requests the start of authentication between the terminal 1410 and the DCS 1430. After that, the terminal 1410 and the DCS 1430 may perform mutual authentication.
- the mutual authentication method may use an EAP method supported by the manufacturer, and if authentication is successful, the DCS 1430 may transmit the authentication result to the AUSF 1420-2.
- the DCS 1430 may deliver to the terminal 1410 the address of the provisioning server 1440 that manages the credentials of the SNPN that the terminal 1410 wants to access.
- the DCS 1430 and the PS 1440 may have an interface based on a prior contract.
- the terminal 1410 may transmit a message requesting the credentials of the corresponding SNPN to the provisioning server 1440 based on the terminal ID (UE ID).
- the message requesting the credentials of the corresponding SNPN may be transmitted through the user plane of a PDU session established through the O-SNPN 1420.
- the message requesting the credentials of the corresponding SNPN may be transmitted through a control plane connected to the NFs of the O-SNPN 1420, and is not limited to a specific form.
- the provisioning server 1440 may verify the terminal 1410 and provide the terminal 1410 with the credentials of the corresponding SNPN.
- bidirectional authentication can thus be performed between the terminal and the O-SNPN 1420, but considering that, for the interface between the AUSF 1420-2 and the DCS 1430, either the AUSF 1420-2 must perform a proxy function or the DCS 1430 must be 5GS-aware and support the AUSF and UDM functions, this bidirectional authentication may have limitations.
- a terminal 1510 can be provided, by the terminal manufacturer at the time of manufacture, with basic credentials (e.g. a private key or certificate) that can be used for future onboarding authentication and a unique ID that can be distinguished within the manufacturer.
- the unique ID may be in the form of a network access identifier (NAI) (e.g. username@domain). That is, the terminal 1510 may hold in advance basic credentials and a unique ID that can be used for onboarding authentication.
- the terminal 1510 may search for and select a nearby O-SNPN 1520 and transmit a registration request including the unique ID.
- the AMF 1520-1 of the O-SNPN 1520 may check the registration procedure with the terminal and transmit the registration message to the AUSF 1520-2 in charge of authentication.
- the AUSF 1520-2 may perform one-way primary authentication. In this case, one-way authentication means that the terminal 1510 verifies the O-SNPN 1520 but the O-SNPN 1520 does not verify the terminal 1510.
- EAP-TLS extensible authentication protocol-transport layer security
- EAP-TLS is an extensible authentication protocol method that can be used for secure authentication in wireless LAN hardware and software.
- the O-SNPN certificate is delivered to the terminal, and the terminal can verify the O-SNPN through the root-of-trust certificate provided as part of the basic credentials that can be used for onboarding authentication. That is, it may be a one-way authentication in which only the terminal 1510 authenticates the O-SNPN 1520 and the O-SNPN 1520 does not authenticate the terminal 1510.
- verification of the terminal may be performed through secondary authentication with the DCS 1530.
- the SMF 1520-3 of the O-SNPN 1520 may select the DCS 1530 through the domain part of the terminal ID.
- the DCS 1530 may perform authentication based on the terminal ID and the basic credentials.
- the DCS 1530 may deliver to the terminal 1510 the address of the provisioning server 1540 that manages the credentials of the SNPN that the terminal 1510 wants to access.
- the DCS 1530 and the PS 1540 may have an interface based on a prior contract.
- the terminal 1510 may transmit a message requesting the credentials of the corresponding SNPN to the provisioning server 1540 based on the terminal ID (UE ID).
- the message requesting the credentials of the corresponding SNPN may be transmitted through the user plane of a PDU session established through the O-SNPN 1520.
- the message requesting the credentials of the corresponding SNPN may be transmitted through a control plane connected to the NFs of the O-SNPN 1520, and is not limited to a specific form.
- the provisioning server 1540 may verify the terminal 1510 and provide the terminal 1510 with the credentials of the corresponding SNPN.
- since the terminal 1510 authenticates only the O-SNPN 1520 and the O-SNPN 1520 does not authenticate the terminal 1510, a DoS attack may be possible and security may be weak.
- the terminal can perform authentication based on bidirectional authentication (the method of FIG. 14) or unidirectional authentication (the method of FIG. 15).
- in consideration of security, authentication may be performed as bidirectional authentication based on FIG. 14.
- authentication based on the method of FIG. 14 may require an AUSF proxy to support an existing AAA server, or a manufacturer DCS may need to implement 5GS core functions. That is, security can be increased based on FIG. 14, but the above-described functions may be required.
- with the method of FIG. 15, a separate 5G core system change may not be required, but unidirectional authentication may be vulnerable to attacks such as DoS because terminal authentication is omitted, as described above.
- FIG. 16 is a diagram illustrating a method of performing authentication applied to the present disclosure.
- FIG. 16 may be an improved authentication method that addresses the disadvantages of the methods of FIGS. 14 and 15 described above.
- the terminal 1610 may perform primary authentication with the AUSF 1620-2 as described above.
- the terminal 1610 may obtain the public key of the DCS 1630 during the manufacturing process. That is, the terminal 1610 may hold in advance the above-described basic credential information and the public key of the DCS 1630.
- the UE 1610 may generate a SUCI based on the public key of the DCS 1630 and request registration with the AUSF 1620-2 using the SUCI.
- the AUSF 1620-2 may identify the DCS 1630 for the terminal 1610 through the SUCI, and request authentication information from the identified DCS 1630. That is, unlike FIG. 14, the O-SNPN 1620 does not request the DCS 1630 to authenticate the terminal 1610; instead, it sends the DCS 1630 a request and receives the information needed to perform authentication of the terminal 1610 itself.
- the authentication information request transmitted by the AUSF 1620-2 may include the above-described SUCI, and the DCS 1630 can provide the AUSF 1620-2 with the information necessary for authentication of the terminal 1610 based on the SUCI. That is, the AUSF 1620-2 may receive the root-of-trust certificates of the terminal from the DCS 1630 in response to the authentication information request.
- the AUSF 1620-2 may receive SUPI information from the DCS 1630.
- the AUSF 1620-2 may further receive the provisioning server address information (PS_address) and provisioning token information (PS_token) required for later authentication with the provisioning server. Then, the AUSF 1620-2 performs bidirectional authentication with the terminal 1610 based on EAP-TLS using the received information, and transmits the provisioning server address information (PS_address) and provisioning token information (PS_token) to the terminal 1610.
- the terminal 1610 may be provided, by the terminal manufacturer at the time of manufacture, with basic credentials (e.g. a private key or certificate) that can be used for future onboarding authentication and a unique ID that can be distinguished within the manufacturer.
- the unique ID may be in the form of a network access identifier (NAI) (e.g. username@domain). That is, the terminal 1610 may hold in advance basic credentials and a unique ID that can be used for onboarding authentication.
- the terminal 1610 may search for and select a nearby O-SNPN 1620 and transmit a registration request including the SUCI generated from the unique ID.
- the AMF 1620-1 of the O-SNPN 1620 may check the registration procedure with the terminal and transmit the registration message to the AUSF 1620-2 in charge of authentication.
- the AUSF 1620-2 may determine to perform a bidirectional authentication procedure.
- the AUSF 1620-2 may request the information necessary for authentication from the DCS 1630, including the terminal ID and the target SNPN ID.
- a contractual relationship between the O-SNPN 1620 and the DCS 1630 may exist in advance, and is not limited to a specific embodiment.
- the DCS 1630 can pass to the O-SNPN 1620 the root-of-trust certificates of the terminal 1610, the SUPI, the provisioning server address (PS_address) that manages the credentials of the SNPN, and the PS token (PS_token) required for authentication with the corresponding PS.
- the AUSF 1620-2 of the O-SNPN may perform two-way primary authentication with the terminal 1610 based on the EAP-TLS protocol using the information received from the DCS 1630. Then, when authentication is complete, the AUSF 1620-2 can deliver to the terminal 1610 the provisioning server address that manages the credentials of the SNPN the terminal wants to access and the PS token used by the provisioning server 1640 for terminal authentication.
- the terminal 1610 may transmit a credential request message for the corresponding SNPN to the provisioning server 1640 based on the provided provisioning server address information.
- the credential request message may include the terminal ID and the PS token.
- a contract may exist between the DCS 1630 and the PS 1640, and is not limited to a specific embodiment.
- the transmission path may be the user plane of a PDU session established through the O-SNPN 1620.
- the transmission path may be a control plane connecting the NFs of the O-SNPN, and is not limited to a specific form.
- the provisioning server 1640 may identify the DCS 1630 from the domain part of the received terminal ID and transmit the terminal ID and PS token to the corresponding DCS 1630 to request authentication.
- the DCS 1630 may perform authentication based on whether the PS token issued during onboarding matches the corresponding terminal ID, and may return the authentication result to the provisioning server 1640.
- the provisioning server 1640 may transfer the credentials of the corresponding SNPN to the terminal 1610.
- the terminal 1710 may hold basic credentials in advance as described above.
- the terminal 1710 may be provided with certificates (Root / Intermediary CA Certificates), and is not limited to the above-described embodiment.
- the terminal 1710 encrypts the unique identifier with the public key of the manufacturer server to generate a SUCI (Subscription Concealed Identifier).
- the terminal 1710 may transmit a registration request including the SUCI and the ID of the SNPN to be accessed to the AMF/SEAF 1720 of the O-SNPN.
- the AMF/SEAF 1720 may transmit an authentication request (e.g. Nausf_UEAuthentication_AuthenticateRequest) including the SUCI and SNPN ID to the AUSF 1730.
- the authentication request may include the SUCI and serving network name (SN-name) information.
- the AMF/SEAF 1720 may further deliver indication information that helps the AUSF 1730 select an authentication method, and is not limited to a specific embodiment.
- the AUSF 1730 may select an authentication method based on the domain part of the SUCI and the above-described authentication method selection indication. That is, the AUSF 1730 may select an authentication method based on the domain part of the received SUCI and the indication received from the AMF 1720. At this time, as an example, the AUSF 1730 may select whether to perform mutual authentication based on the DCS 1740, the corresponding terminal 1710, and the EAP-TLS protocol.
- the AUSF 1730 may look up the DCS 1740 through the domain part of the SUCI and request the information necessary for authenticating the terminal 1710. That is, the AUSF 1730 may transmit an authentication information request message to the DCS 1740.
- the authentication information request message may include the SUCI and may be delivered to the DCS 1740 over IP.
- the DCS 1740 may obtain the SUPI by decrypting, with its private key, the SUCI that was encrypted with its public key.
- the DCS 1740 can reply to the network with the certificates of the top-level and intermediate certification authorities capable of verifying the certificate mapped to the SUPI, the address of the provisioning server in charge of authentication for the SNPN identified by the received SNPN ID, and the PS token information.
- the DCS 1740 may deliver a response including the root-of-trust certificates, PS address, PS token, and SUPI to the AUSF 1730 in reply to the request of the AUSF 1730.
- the AUSF 1730 may transfer an authentication response (e.g. Nausf_UEAuthentication_AuthenticateResponse) to the AMF/SEAF 1720.
- bidirectional mutual authentication may be performed based on at least one of the above.
- the AMF/SEAF 1720 may transmit an authentication request message to the terminal 1710 based on EAP-TLS for bidirectional authentication.
- the UE 1710 may transmit an authentication response message to the AMF/SEAF 1720 based on EAP-TLS.
- the AMF/SEAF 1720 may forward the EAP-TLS-based response from the terminal to the AUSF 1730 in an authentication request (e.g. Nausf_UEAuthentication_AuthenticateRequest).
- the AUSF 1730 may perform terminal authentication and deliver an authentication response (e.g. Nausf_UEAuthentication_AuthenticateResponse) to the AMF/SEAF 1720.
- through this, the terminal can authenticate the network.
- the AMF/SEAF 1720 may transfer the authentication request to the terminal 1710 and receive an authentication response from the terminal 1710.
- the AMF/SEAF 1720 may transmit an authentication request (e.g. Nausf_UEAuthentication_AuthenticateRequest) to the AUSF 1730, and the AUSF 1730 may transmit an authentication response (e.g. Nausf_UEAuthentication_AuthenticateResponse) to the AMF/SEAF 1720.
- through this, the network may also authenticate the terminal. That is, bidirectional authentication may be performed through the above.
- the AMF/SEAF 1720 may exchange authentication request/response messages with the terminal 1710 and with the AUSF 1730 to complete bidirectional authentication. Thereafter, the AUSF 1730 transfers the provisioning server address information and the PS token information to the terminal, and the terminal 1710 can acquire the credentials of the SNPN to be accessed from the provisioning server, as shown in FIG. 16 described above.
- through this, the terminal and the AUSF can perform bidirectional authentication.
- in FIG. 14, a proxy was required in consideration of the existing AAA protocol and 5G authentication signaling, or the DCS needed to be 5GS-aware and support the AUSF and UDM functions.
- in FIGS. 16 and 17, authentication can be performed by requesting the authentication information over IP, without requiring the AUSF to support a proxy function or the DCS to be 5GS-aware and support the AUSF and UDM functions, as described above.
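The flow of FIGS. 16 and 17, as an added pure-stdlib Python simulation (not code from the patent): the terminal conceals the username part of its NAI into a SUCI, the AUSF selects the DCS by the clear-text domain part and sends an authentication-information request, the DCS returns SUPI, trust anchor, PS_address and a PS_token, and the provisioning server later hands the PS_token back to the DCS, which accepts it only once and only with the terminal ID it was issued for. The DCS key pair is textbook RSA over two fixed Mersenne primes and the EAP-TLS exchange is reduced to an issuer check; all party names, domains, addresses and credential values are constructed for the demo.

```python
import hmac
import secrets

# Constructed DCS key pair: textbook RSA over two fixed Mersenne primes (demo only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
MOD_BYTES = (N.bit_length() + 7) // 8


def conceal_suci(unique_id: str) -> dict:
    """Terminal side: the NAI domain stays in clear (the O-SNPN routes on it); the
    username is encrypted under the DCS public key with 4 random bytes for unlinkability."""
    username, domain = unique_id.split("@", 1)
    user = username.encode()
    m = int.from_bytes(secrets.token_bytes(4) + user + bytes([len(user)]), "big")
    if m >= N:
        raise ValueError("username too long for the demo modulus")
    return {"domain": domain, "output": pow(m, E, N).to_bytes(MOD_BYTES, "big").hex()}


class DCS:
    """Manufacturer default credential server (DCS 1630 in FIG. 16)."""

    def __init__(self, domain, trust_anchor, ps_by_snpn):
        self.domain, self.trust_anchor = domain, trust_anchor  # CA of terminal certs
        self.ps_by_snpn = ps_by_snpn  # target SNPN ID -> PS_address
        self.issued = {}              # PS_token -> (SUPI, SNPN ID)

    def deconceal(self, suci: dict) -> str:
        plain = pow(int(suci["output"], 16), D, N).to_bytes(MOD_BYTES, "big")
        n = plain[-1]  # trailing length byte frames the username
        return plain[-1 - n:-1].decode() + "@" + suci["domain"]

    def auth_info_request(self, suci: dict, snpn_id: str) -> dict:
        """Answer the AUSF with SUPI, trust anchor, PS_address and a fresh PS_token."""
        supi = self.deconceal(suci)
        token = secrets.token_hex(16)
        self.issued[token] = (supi, snpn_id)
        return {"supi": supi, "root_of_trust": self.trust_anchor,
                "ps_address": self.ps_by_snpn[snpn_id], "ps_token": token}

    def verify_token(self, ue_id: str, token: str, snpn_id: str) -> bool:
        """A PS_token is single-use and bound to the UE ID and SNPN it was issued for."""
        issued = self.issued.pop(token, None)
        if issued is None:
            return False
        supi, snpn = issued
        return hmac.compare_digest(supi, ue_id) and snpn == snpn_id


class Terminal:
    def __init__(self, unique_id, cert, trusted_issuers):
        self.unique_id, self.cert, self.trusted_issuers = unique_id, cert, trusted_issuers


class AUSF:
    """O-SNPN AUSF: no AAA proxy, only an authentication-information request to the DCS."""

    def __init__(self, dcs_directory, network_cert):
        self.dcs_directory, self.network_cert = dcs_directory, network_cert

    def register(self, suci: dict, snpn_id: str, terminal: Terminal) -> dict:
        dcs = self.dcs_directory[suci["domain"]]  # DCS selected by the SUCI domain part
        info = dcs.auth_info_request(suci, snpn_id)
        # Stand-in for mutual EAP-TLS: each side checks the issuer of the peer certificate.
        ue_ok = terminal.cert["issuer"] == info["root_of_trust"]
        net_ok = self.network_cert["issuer"] in terminal.trusted_issuers
        if not (ue_ok and net_ok):
            raise PermissionError("mutual authentication failed")
        return {"ps_address": info["ps_address"], "ps_token": info["ps_token"]}


class ProvisioningServer:
    def __init__(self, dcs_directory, snpn_id, snpn_credential):
        self.dcs_directory, self.snpn_id = dcs_directory, snpn_id
        self.snpn_credential = snpn_credential

    def credential_request(self, ue_id: str, ps_token: str) -> dict:
        dcs = self.dcs_directory[ue_id.split("@", 1)[1]]  # DCS from the UE ID domain part
        if not dcs.verify_token(ue_id, ps_token, self.snpn_id):
            raise PermissionError("PS_token rejected by DCS")
        return self.snpn_credential


def build_demo():
    """Constructed parties: one DCS, one O-SNPN AUSF and one PS for SNPN 'snpn-a'."""
    dcs = DCS("vendor.example", "Vendor Root CA", {"snpn-a": "ps.snpn-a.example"})
    directory = {"vendor.example": dcs}
    terminal = Terminal("ue0001@vendor.example", {"issuer": "Vendor Root CA"}, {"O-SNPN Root CA"})
    ausf = AUSF(directory, {"issuer": "O-SNPN Root CA"})
    ps = ProvisioningServer(directory, "snpn-a", {"snpn": "snpn-a", "key": "demo-credential"})
    return terminal, ausf, ps, dcs


def onboard(terminal, ausf, ps, snpn_id="snpn-a") -> dict:
    """Whole flow: SUCI registration, mutual authentication, PS_token, credential fetch."""
    grant = ausf.register(conceal_suci(terminal.unique_id), snpn_id, terminal)
    return ps.credential_request(terminal.unique_id, grant["ps_token"])
```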
- FIG. 18 is a diagram illustrating a terminal operation method applied to the present disclosure.
- the terminal may generate a SUCI by encrypting the unique identifier with the public key of the DCS (S1810).
- the terminal may hold a unique identifier identifiable within the DCS and a terminal certificate issued based on the DCS.
- at least one of the public key of the DCS and the root/intermediate CA certificates of the top-level/intermediate certification authorities capable of verifying the certificate of the onboarding network may be obtained in advance, as described above.
- the terminal may receive the above-described information from the manufacturer during the manufacturing process.
- the terminal may transmit a registration request including the generated SUCI and the first SNPN ID to the onboarding network (S1820).
- the first SNPN may be the SNPN that the terminal wants to access.
- the AMF of the onboarding network may request authentication from the AUSF, including the SUCI and the first SNPN ID.
- the AMF may further provide the AUSF with indication information that helps the AUSF select an authentication method.
- the AUSF may select an authentication method through at least one of the domain part of the SUCI and the above-described indication information.
- the AUSF may look up the DCS based on the domain part of the terminal's SUCI and request the information necessary for terminal authentication. That is, the AUSF may transmit an authentication information request message to the DCS.
- the authentication information request message may include at least one of the SUCI and the first SNPN ID.
- the DCS can decrypt the SUCI received from the AUSF using its private key and obtain the SUPI.
- the private key of the DCS may be the key paired with the public key used by the terminal to generate the SUCI, through which the DCS can decrypt the SUCI and obtain the SUPI.
- the DCS may return to the onboarding network the certificate of the top-level/intermediate certification authority capable of verifying the certificate mapped to the corresponding SUPI, the provisioning server address (PS_address) responsible for authentication of the first SNPN based on the received first SNPN ID, and a PS_token created for the provisioning server to use later for terminal authentication.
- the terminal may perform bidirectional authentication with the onboarding network.
- the bidirectional authentication includes the terminal certificate possessed by the terminal, the certificate of the uppermost/intermediate certification authority of the onboarding network, and the Bidirectional authentication may be performed based on at least one of an onboarding network certificate and a certificate of an uppermost/intermediate certification authority of the terminal received from the provisioning server.
- the terminal may receive PS_address and PS_token from the onboarding network.
- the terminal transmits a qualification request including a unique identifier and PS_token to the provisioning server based on the received PS_address, (S1850), the qualification of the first SNPN may be provided from the provisioning server.
- the UE may be dynamically provided with the qualifications of the first SNPN to be accessed, and may access the SNPN.
- 19 is a diagram illustrating a terminal operation method applied to the present disclosure.
- the onboarding network may receive a registration request including a SUCI encrypted with a public key of the DCS and a first SNPN from the terminal (S1910).
- a terminal certificate issued based on the DCS identifier, a public key of the DCS, and a certificate of a top-level / intermediate certificate authority (Root / Intermediary CA Certificates) capable of verifying a certificate of an onboarding network may be obtained in advance.
- the terminal may receive the above-described information from the manufacturer during the manufacturing process.
- the first SNPN may be a SNPN to which the UE wants to access.
- the onboarding network may transmit an authentication information request to the DSC based on the received registration request.
- the AMF of the onboarding network authenticates to the AUSF by including the SUCI and the first SNPN ID. can request
- AMF may further provide AUSF with indication information that helps AUSF select an authentication method.
- AUSF may select an authentication method through at least one of the domain part of the SUCI and the above-described indication information that helps in selecting the authentication method.
- the AUSF may search the DCS based on the domain part of the SUCI of the terminal and request information necessary for terminal authentication. That is, AUSF may transmit the above-described authentication information request message to DCS.
- the authentication information request message may include at least one of SUCI and first SNPN ID information.
- the onboarding network may receive a response including at least one of the first certificate, PS_address, and PS_token based on the authentication information request (S1930).
- the DCS may decrypt the SUCI received from the AUSF with its private key and generate the SUPI.
- the private key of the DCS may be a key paired with a public key used by the terminal to generate the SUCI, through which the DCS can decrypt the SUCI and generate the SUPI.
- the first certificate received from the DCS may be a certificate of a top/intermediate certification authority capable of verifying a certificate mapped to the corresponding SUPI.
- the onboarding network may receive, from the DCS, the address (PS_address) of the provisioning server in charge of authentication of the first SNPN, determined based on the first SNPN ID, and the PS_token to be used later by the provisioning server for terminal authentication, as described above.
- the onboarding network may perform bidirectional authentication with the terminal based on the received response.
- the bidirectional authentication may be performed based on at least one of the terminal certificate possessed by the terminal, the certificate of the top-level/intermediate certification authority of the onboarding network, the onboarding network certificate possessed by the onboarding network, and the certificate of the top-level/intermediate certification authority of the terminal received from the provisioning server.
- the onboarding network may transmit PS_address and PS_token to the terminal.
- when the terminal transmits a qualification request including a unique identifier and the PS_token to the provisioning server based on the received PS_address, the qualification of the first SNPN may be provided by the provisioning server. Through this, the terminal can dynamically receive the qualification of the first SNPN to be accessed and access the SNPN.
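The exchange of FIG. 18 and FIG. 19 (terminal, onboarding network, DCS and provisioning server), as an added example that is not part of the patent text, written in Go with standard-library crypto. Assumptions not in the text: the SUPI doubles as the terminal's unique identifier; SUCI concealment is modelled as X25519 key agreement plus AES-GCM rather than a 3GPP concealment profile; PS_token is an HMAC under a key shared between the DCS and the provisioning server, bound to the SUPI and the first SNPN ID (the text does not specify how the token is built); one DCS answers for one provisioning server. The mutual certificate authentication between terminal and onboarding network, the first certificate, and the AUSF's lookup of the DCS from the SUCI domain part are left out.

```go
package main

// Added example (not the patent's own code): the onboarding exchange above; formats and token layout are assumed.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// SUCI: the SUPI encrypted to the DCS public key; only the DCS private key can recover the SUPI.
type SUCI struct {
	EphPub   *ecdh.PublicKey // terminal's ephemeral key, fresh for every SUCI
	Ciphered []byte          // AES-GCM(SUPI) under the ECDH-derived key
}

var zeroNonce = make([]byte, 12) // acceptable only because every SUCI uses a fresh ephemeral key

// aeadFor derives the AES-GCM both sides use from X25519(priv, peer).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	blk, _ := aes.NewCipher(k[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(blk)
}

// ConcealSUPI runs on the terminal with the DCS public key it received at manufacturing.
func ConcealSUPI(dcsPub *ecdh.PublicKey, supi string) (SUCI, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SUCI{}, err
	}
	g, err := aeadFor(eph, dcsPub)
	if err != nil {
		return SUCI{}, err
	}
	return SUCI{eph.PublicKey(), g.Seal(nil, zeroNonce, []byte(supi), nil)}, nil
}

// DCS: private key paired with the terminal's public key, PS_address, and the token key shared with the PS.
type DCS struct {
	Priv      *ecdh.PrivateKey
	PSAddress string
	TokenKey  []byte
}

// psToken = nonce || HMAC(key, supi|snpn|nonce): valid for one terminal and one SNPN only.
func psToken(key, nonce []byte, supi, snpnID string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append([]byte(supi+"|"+snpnID), nonce...))
	return append(append([]byte{}, nonce...), m.Sum(nil)...)
}

// AuthInfo answers the AUSF's authentication information request with PS_address and PS_token.
func (d *DCS) AuthInfo(s SUCI, snpnID string) (string, []byte, error) {
	g, err := aeadFor(d.Priv, s.EphPub)
	if err != nil {
		return "", nil, err
	}
	supi, err := g.Open(nil, zeroNonce, s.Ciphered, nil) // SUCI -> SUPI
	if err != nil {
		return "", nil, fmt.Errorf("SUCI does not decrypt: %w", err)
	}
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return d.PSAddress, psToken(d.TokenKey, nonce, string(supi), snpnID), nil
}

// ProvisioningServer for one SNPN, sharing the token key with the DCS.
type ProvisioningServer struct {
	SNPNID   string
	TokenKey []byte
}

// Credentials answers the credential request; the PS_token must verify for this identifier and SNPN.
func (p *ProvisioningServer) Credentials(id string, token []byte) (string, error) {
	if len(token) != 16+sha256.Size || !hmac.Equal(token, psToken(p.TokenKey, token[:16], id, p.SNPNID)) {
		return "", fmt.Errorf("PS_token not valid for %q at SNPN %q", id, p.SNPNID)
	}
	return "constructed-credential/" + p.SNPNID + "/" + id, nil // placeholder SNPN credential
}

// Onboard drives the exchange: terminal -> onboarding network (AMF/AUSF) -> DCS -> terminal -> PS.
func Onboard(dcsPub *ecdh.PublicKey, dcs *DCS, ps *ProvisioningServer, supi, snpnID string) (string, error) {
	suci, err := ConcealSUPI(dcsPub, supi)
	if err != nil {
		return "", err
	}
	_, token, err := dcs.AuthInfo(suci, snpnID) // the network forwards PS_address and PS_token to the terminal
	if err != nil {
		return "", err
	}
	return ps.Credentials(supi, token) // the SUPI stands in for the terminal's unique identifier
}
```

The binding is the defensive point: a PS_token issued for one identifier and SNPN does not verify for another identifier or at another SNPN's provisioning server, and a SUCI built for a different DCS key fails authenticated decryption instead of yielding a bogus SUPI. A deployed token should additionally carry a lifetime and be accepted once; the text specifies neither.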
- Embodiments of the present disclosure may be applied to various wireless access systems.
- examples of the various wireless access systems include the 3rd Generation Partnership Project (3GPP) and 3GPP2 systems.
- 3GPP 3rd Generation Partnership Project
- 3GPP2 3rd Generation Partnership Project2
- Embodiments of the present disclosure may be applied not only to the various wireless access systems, but also to all technical fields to which the various wireless access systems are applied. Furthermore, the proposed method can be applied to mmWave and THz communication systems using ultra-high frequency bands.
- embodiments of the present disclosure may be applied to various applications such as autonomous vehicles and drones.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US18/571,609 US20240292219A1 (en) | 2021-07-22 | 2022-01-24 | Method and device for operating terminal in wireless communication system |
| EP22845985.5A EP4376461A4 (fr) | 2021-07-22 | 2022-01-24 | Procédé et dispositif pour faire fonctionner un terminal dans un système de communication sans fil |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| KR10-2021-0096542 | 2021-07-22 | | |
| KR20210096542 | 2021-07-22 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2023003113A1 true WO2023003113A1 (fr) | 2023-01-26 |
Family
ID=84980313
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/KR2022/001228 Ceased WO2023003113A1 (fr) | 2021-07-22 | 2022-01-24 | Procédé et dispositif pour faire fonctionner un terminal dans un système de communication sans fil |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US20240292219A1 (fr) |
| EP (1) | EP4376461A4 (fr) |
| WO (1) | WO2023003113A1 (fr) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024183537A1 (fr) * | 2023-03-06 | 2024-09-12 | 华为技术有限公司 | Procédé et appareil de communication |
| EP4539399A1 (fr) * | 2023-10-11 | 2025-04-16 | Tyco Fire & Security GmbH | Déploiement de certificat de dispositif de réseau à l'aide de communications à courte portée |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20230071551A (ko) * | 2021-11-16 | 2023-05-23 | 삼성전자주식회사 | 통신 시스템에서 원격 권한 설정을 위한 단말 인증을 위한 방법 및 장치 |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021134107A2 (fr) * | 2020-05-07 | 2021-07-01 | Futurewei Technologies, Inc. | Procédés et appareil de provisionnement de réseau privé pendant la mise en service |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210058784A1 (en) * | 2019-11-08 | 2021-02-25 | Intel Corporation | User equipment onboarding based on default manufacturer credentials unlicensed |
2022
- 2022-01-24 EP EP22845985.5A patent/EP4376461A4/fr active Pending
- 2022-01-24 WO PCT/KR2022/001228 patent/WO2023003113A1/fr not_active Ceased
- 2022-01-24 US US18/571,609 patent/US20240292219A1/en active Pending
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021134107A2 (fr) * | 2020-05-07 | 2021-07-01 | Futurewei Technologies, Inc. | Procédés et appareil de provisionnement de réseau privé pendant la mise en service |
Non-Patent Citations (5)
| Title |
|---|
| ERICSSON: "KI#4, New Sol: Simplified Onboarding procedure supporting both User and Control Plane UE Provisioning Procedures", 3GPP DRAFT; S2-2003610, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Elbonia; 20200601 - 20200612, 22 May 2020 (2020-05-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051889669 * |
| HUAWEI, HISILICON: "KI#4, evaluations and conclusions updates", 3GPP DRAFT; S2-2009151, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20201116 - 20201120, 23 November 2020 (2020-11-23), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051958197 * |
| INTEL, HUAWEI, ALIBABA: "KI #4, Evaluation – UE Onboarding", 3GPP DRAFT; S2-2007854, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. E-meeting; 20201012 - 20201023, 23 October 2020 (2020-10-23), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051948109 * |
| INTEL: "Updates to solution 14: Removal of Editor’s notes and Evaluation", 3GPP DRAFT; S3-210985, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. e-meeting; 20210301 - 20210305, 22 February 2021 (2021-02-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051980377 * |
| See also references of EP4376461A4 * |
Also Published As
| Publication number | Publication date |
|---|---|
| EP4376461A1 (fr) | 2024-05-29 |
| EP4376461A4 (fr) | 2025-07-09 |
| US20240292219A1 (en) | 2024-08-29 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22845985; Country of ref document: EP; Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 18571609; Country of ref document: US |
| | WWE | Wipo information: entry into national phase | Ref document number: 2022845985; Country of ref document: EP |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2022845985; Country of ref document: EP; Effective date: 20240222 |